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Introduction 


The “European Principles Documents”, consist of the IAB Europe OBA Framework, EASA Best 
Practice Recommendation on OBA, Technical Specifications for use of the OBA Icon across Europe, 
and a set of Self-Certification Criteria. Together, these documents apply consumer friendly 
standards to Online Behavioural Advertising. 


The “Self-certification criteria for companies participating in the European Self-Regulatory 
Programme on OBA”, provide a comprehensive set of criteria for self-certification of compliance. 
Self-certification of compliance shall be limited to those requirements applicable to each 
signatory’s business model; however, should a signatory be subject to multiple obligations, self- 
certification must cover all such applicable provisions. In other words, if a signatory fulfils more 
than one role in the advertising eco-system, then it should comply with the requirements 
applicable to each of these roles. 


Self-certification of compliance under this document and the OBA Self-Regulatory Programme does 
not exempt Companies from fulfilling their obligations under applicable national laws. 


This form represents the technical means for companies to submit their Self-Certification of 
compliance to EDAA. The data collected via this form will only be used by EDAA and by approved 
Independent Certification Providers, and only for the specific purpose of ensuring compliance with 
the OBA Self-Regulatory Programme. 


This PDF version is aimed at facilitating the gathering of information internally (between IT, legal, 
commercial teams) in order to ensure that the self-certification is completed in a fully 
comprehensive and accurate manner. The final submission must be made via the online form - or by 
sending us a signed copy at info@edaa.eu - within six months of licensing. Please, retain a copy for 
you own records. 


N.B. All companies acting as Third Parties within the Programme, following their 
self-certification, must complete the final compliance step by undergoing an independent 


verification of compliance through one of multiple approved Certification Providers. Further 
information on this final step, along with contact details of providers, can be found here. 


EDAA Licence Agreements 


Using the dropdown box below, please let us know which valid EDAA Licence Agreement your 
company currently holds: 


OBA Icon (Third Party version) 


Submitting your Self-Certification form 


Please note that all fields and dropdown questions have to be completed in order to submit a valid 
self-certification form. Please complete not applicable fields with 'N/A' 


1. Company information 


1.1. 


Identification data 


e Company name: 


e Company registered address: 


fe) 


Q 


O 


O 


fe) 


Building/number: 
Street Address: 
City: 

Post code: 


Country: 


e Company correspondence address (if different from registered address): 


o 
o 
fe) 
fe) 
fe) 

1.2. 

1.3. 

e Name: 


Building/number: 
Street Address: 
City: 

Post code: 


Country: 


Company VAT Number: 


Contact person: 


e Email address: 


e Phone number: 


1.4. 


Role in the market place 


Check all that apply: 


[| Company is involved in OBA. 


If Company is involved in OBA, please tick the applicable boxes below: 


[| Company acts as a Web Site Operator, Advertiser of Agency: 


[ | Company acts solely as a Web Site Operator! 


[_|company acts as a Web Site Operator and also sells advertising inventory on 
web sites under Common Control? via a Sales House or similar subsidiary 


1 As defined in the European Industry Self- 
Regulatory Programme on Data Driven Advertising 


2 As defined in the European Principles documents 


[| Company acts as a Third Party? 
| Jaa Network 


| Jaa Server 


| [OBA Provider 

| Jaa Exchange 

[| Demand Side Platform 

[| Supply Side Platform 

[ Jother Third-Party role, please describe: 


2. Specific criteria and best-practice recommendations for self- 
certification of compliance 


Under the terms of the European Industry Self-Regulatory Programme on Data Driven Advertising 
and EASA Best Practice Recommendation on Online Behavioural Advertising, a number of 
provisions apply differently to participating companies, according to their role in the 
online advertising value chain. A participant can simultaneously play several roles; in 
such circumstances, self-certification must cover all applicable provisions. 


2.1. Criteria for self-certification of compliance — Third Parties 


2.1.1. Data security 


Safeguards 
Companies should maintain appropriate physical, electronic, and administrative safeguards to 
protect the data collected and used for OBA purposes, including any backups. 


1. Does the company implement appropriate physical safeguards? Please describe: 


mee 


A the company implement appropriate electronic safeguards? Please 
escribe: 


Sooo 


3: l [Does the company implement appropriate administrative safeguards? 
Please describe: 


3 As defined in the European Principles Documents 


— 


Data Storage 


Companies should retain data that is collected and used for OBA only for as long as necessary to 
fulfil a legitimate business need, or as required by law. 


> |Does the company have clear policies regarding retention of data collected for 
OBA purposes? Please describe: 


2.1.2. Sensitive Segmentation 


Children’s segmentation 
[| The company DOES NOT create segments for OBA purposes that are specifically designed 
to target children (age 12 and under). 


Other sensitive segments 
1; Does the company seek to create or use OBA segments relying on use of 
sensitive personal data, as defined under Article 8.1 of Directive 95/46/EC 


(racial or ethnic origin, political opinions, religious or philosophical beliefs, 
trade-union membership, health, sex-life)? 


2: If you have selected the box above, does the company obtain web users’ 
Explicit Consent, prior to engaging in OBA using that information? 


2.1.3. Education 


[ To the extent that the company engages in OBA, please describe how you provide 
information to inform individuals and businesses about OBA, including easily accessible 
information about how data for OBA purposes is obtained, how it is used and how web 
user choice may be exercised: 


2.1.4. Complaints Handling 


Web users may make complaints about incidents of suspected non-compliance with the 
European Principles. While web users will have available a number of ways to make complaints, 
Companies must ensure that, regardless of what means the user uses to submit the complaint 
(whether directly to the Company or through an industry or self-regulatory body), proper 
processes are in place to ensure a timely and satisfactory response and resolution of the issue, if 
necessary. 
Does the company implement internal complaint handling mechanisms? 
1 fs ae eR — i i 


2. What is the time interval to respond to user complaints and address the substance of the 
complaint? [on 


3. Describe the mechanism for complaints to be filed directly with the company: 


4. If applicable, describe the process in place for responding to enquiries made by national 
self-regulatory organisations on OBA-related issues and formal unresolved OBA 
complaints: 


————— 


2.1.5. Third Party Privacy Notice 


Third Parties should give clear and comprehensible notice on their websites describing their 
OBA data collection and use practices. 


1. [| The company provides a Third Party Privacy Notice. 
2. [| The Third Party Privacy Notice is written in simple, layman’s language. 


3: [| The link to the Third Party Privacy Notice is easily accessible for users. Please 
describe how a user can reach this Third Party Privacy Notice on the Company’s 
website: 


a 


4. [| The Third Party Privacy Notice is distinct from the “Terms and Conditions” section 
of the website. Please provide the URL of this notice: 


The Third Party Privacy Notice includes the following information (check all that apply): 
1; [| Third party’s identity and contact details. 


Zz | |The types of data collected and used for the purpose of providing OBA, 
including an indication as to whether any data collected is “personal data” or 
“sensitive personal data” as defined by the relevant national implementation of 
Directive 95/46/EC. 


3. [| The purpose or purposes for which OBA data is processed and the recipients 
or categories of recipients not under Common Control to whom such data might 
be disclosed. 


4. | ]A link to the OBA User Choice Site. 


5: [an easy-to-use mechanism for allowing Internet users to exercise choice with 
regard to the collection and use of data for OBA purposes and to the transfer of 
such data to Third Parties for OBA; this mechanism shall be a link to the opt- 
out page of the OBA User Choice Site and, if desired, an alternative User 
Preference Management tool implemented by the Third Party on its own web 


page. 


6. [a statement to the effect that the Company adheres to the European 
ndustry Self-Regulatory Programme on Data Driven Advertising 


7. [| Other relevant information (please describe): 


ey 


2.1.6. Third Party Enhanced Notice 


Third Parties should provide “enhanced notice” of the collection and use of data for OBA 
purposes via the Ad Marker in or around the advertisement, in accordance with the provisions 
of the Technical Specifications. 


[ | The Company, displays OBA ads, and provides “enhanced notice” of data collection and use 
for OBA purposes via the Ad Marker, in accordance with the Technical Specifications. The 
Company holds (or has started the application process for) an OBA Icon licence. 


[ | The Company, acting as a Third Party, is involved in OBA but without displaying OBA ads. 
The Company has appropriate arrangements with partners along the ads delivery chain to 
provide the Third Party Enhanced Notice. 


Each 


2.1.7. User Choice 


Third Party should make available a mechanism for web users to exercise their choice with 


respect to the collection and use of data for OBA purposes and the transfer of such data to Third 
Parties for OBA. 
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; [ | The Company displays the Third Party Enhanced Notice, and provides a clear link 
from the Ad Marker or from the interstitial page* to the OBA User Choice Site. 


: [| |The company acts as an OBA Provider or is using its own means to uniquely identify 
a browser (i.e. cookies or any other technical solutions); integration of the Third Party 
with the user choice mechanism hosted on the OBA User Choice Site is in place and 
works reliably over time. 


: [ | The company is not using technologies in order to circumvent the user’s express 
choices (for example by deliberately “re-spawning” deleted cookies). 


2.1.8. Explicit consent 


Does the company collect data via specific technologies or practices that are 
intended to harvest data from all or substantially all URLs traversed by a particular 
computer or device across multiple web domains and use such data for OBA? 


The company seeks to create or use OBAsegments relying on use of sensitive 
personal data as defined under Article 8.1 of Directive 95/46/EC (see 2.1.2 above)? 


If you have selected the check box above, does the company obtain web user's 
Explicit Consent, prior to engaging in OBA using that information? 


Withdrawal of Explicit Consent: 


T; [| Users are provided with an easy to use mechanism to withdraw their Explicit 
Consent to the collection and use of OBA data; please describe the mechanism: 


4As per the Technical Specifications 


— 


There is a clear, dedicated link (i.e. not in the Terms and Conditions or a similar 
page) from the company’s home page to the withdrawal mechanism; please provide 
the withdrawal mechanism URL: 


N 


3: [ | While the wording that should appear on the link is not prescribed, it must be 
easily understood by the users; please provide the wording: 


B 


; [ | The withdrawal mechanism is simple and does not ask users for any additional 
data; 


5: [ | Once the user has withdrawn the Explicit Consent, collection and use of OBA data 
stops. 


2:2; Best-practice recommendations for self-certification of 
compliance 


Under the terms of the European Industry Self-Regulatory Programme on Data Driven Advertising 
and EASA Best Practice Recommendation on Online Behavioural Advertising, a number of 
provisions apply differently to signatories, according to their role in the online advertising 
value chain. A signatory can simultaneously play several roles; in such circumstances, 
self-certification must cover all applicable provisions 


2.2.1. Best practice recommendation - Advertisers 


ie company acts as an Advertiser. 


[wien the company, on its own site(s), permits data to be collected by Third Parties in order 
to be used on a web site not under Common Control’ for OBA purposes, thus acting as a Web 
Site Operator®, the company provides adequate disclosure of this arrangement, as per the 
European Industry Self-Regulatory Programme on Data Driven Advertising and Technical 
Specifications. 


2.2.2. Best practice recommendation - Agencies 


| |The company acts as an Agency. 


| [When the company, on its own site(s), permits data to be collected by Third Parties in order 


to be used on a web site not under Common Control for OBA purposes, thus acting as a Web Site 
Operator, the company provides adequate disclosure of this arrangement, as per the IAB Europe 


OBA framework and Technical Specifications. 


2.2.3. Best practice recommendation - Publishers 


| |The company acts as a Web Site Operator. 


| [When the company, on its own site(s), permits data to be collected by Third Parties in order 
to be used on a web site not under Common Control for OBA purposes and the Ad Marker is not 
provided by these Third Parties, the company provides adequate disclosure of this 
arrangement via a link in the footer, having the following characteristics: 


5 As defined in the European Industry Self- 
Regulatory Programme on Data Driven 
Advertising 

6 As defined in the European Industry Self- 
Regulatory Programme on Data Driven 
Advertising 


° [|The link is placed in the footer of all pages, and is distinct from the “Terms and 
Conditions” link; 


e Please provide the wording that you use in your footer link: 


° e Jo you use the OBA Icon to provide the adequate disclosure’? 


e Please provide the URL of the information page that opens when clicking on the footer 
link: 


e The information page contains: 


o [Ja list of Third Parties who are active on the site and with which the user, 
wittingly or unwittingly, may be interacting; 


Ô [|Links to further information on OBA and online privacy, including the OBA 
User Choice Site; 


o C] Any other information that supports user understanding and the aims of the 
OBA Self-Regulatory Programme. 


Date: 
Signed by: 


Signature: 


7 Using the OBA Icon is not mandatory for Web Site Operators, as per the European Principles Documents 
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